Accident Sequence Precursors for Nuclear Reactors

Nuclear Energy Activist Toolkit #48

I answer hundreds of questions each year from people living close to nuclear plants, reporters, staff members of local, state, and federal officials, and colleagues about a wide array of nuclear safety issues. The queries provide me useful insight about the topics of most interest to people.

I have not compiled a list of the questions and tallied how often they arise. The NRC and the nuclear industry create lists of Frequently Asked Questions, or FAQs in their acronym-obsessed world. (Andy Rooney might have asked “Did you ever wonder why they don’t call them Frequently Answered Questions, or FAQs?”) I lack statistical data, but certain questions get asked almost every day, some pop up on a weekly basis, others monthly, a handful once every blue moon and so on down to this NAQ (Never Asked Question):

How does the NRC determine which events become accident sequence precursors?

To prevent it from also being a Never Answered Question, here’s the answer to the question that no one ever asks.

The NRC defines an accident sequence precursor (ASP) as “an observed event and/or condition at a plant, when combined with one or more postulated events (e.g., equipment failures, human errors), could result in core damage.”

The NRC does not combine events and conditions with just any old postulated events. If they paired every event and condition with the postulated rupture of the reactor vessel that makes it impossible to cool the nuclear core and prevent it from melting down, then everything would become an accident sequence precursor. Thus, a burned-out light bulb in an office building at the nuclear plant would become an accident sequence precursor. So, how does the NRC properly pair postulated problems with plant problems to prevent precursor proliferation?

The NRC uses a screening process to sort ASPs from non-ASPs. During Fiscal Year 2013 (FY13), this process identified 17 ASPs from among 458 candidates. Less than four percent of the candidates had what it takes to become ASPs.

ASP Screen #1

For FY13, the initial screening test eliminated 334 candidates (72.9%) that failed to meet the potential risk criteria. The initial screening test uses checklists to determine whether the design features installed at the plant to mitigate an event or condition remained functional. If yes, the candidate gets screened out. When one or more additional impairments might have teamed up to worsen the event or condition, further evaluation is performed.

ASP Screen #2

Another 72 candidates (15.7%) were eliminated by the second screening test, the Significance Determination Process (SDP) outcome. The NRC employs a four-color classification for the severity of events and conditions—green, white, yellow, and red in increasing risk. A green determination by the SDP indicates the event or condition has minor safety significance and provides grounds for it to be rejected as an ASP. In other words, the green determination pre-screens the items from further ASP consideration. Fifty-two items (11.4%) got past the first two screening tests and warranted further evaluation in FY13.

ASP Screen #3

Analysts eliminated 8 candidates (1.7%) for reasons specified above from the annual ASP report. Most often, analysts eliminated candidates that were accounted for or bound by another event or condition. Two candidates were eliminated on technicalities—the ASPs by definition are events or conditions that might lead to reactor core damage. The item involving containment degradation is decoupled with something leading to core damage. And the item from Wolf Creek was eliminated because, at the time of the event, the reactor core had been entirely offloaded into the spent fuel pool.

ASP Screen #4

For FY13, 44 candidates (9.6%) got through the first three screening tests and were subjected to heavy-duty analysis using the computer code SAPHIRE—Systems Analysis Programs for Hands-on Integrated Reliability Evaluation. SAPHIRE can’t tell you whether it’s going to rain tomorrow or pick winning lottery numbers, but it can discern ASPs from ASP wannabes. Analysts input parameters associated with the specific event or condition (i.e., widget X malfunctioned, widgets Y and Z were out of service for maintenance at the time, etc.) and run SAPHIRE. The code pulls applicable information from human and equipment performance databases to estimate the reliability of the systems and operator actions needed to prevent reactor core damage from occurring. SAPHIRE computes the Conditional Core Damage Probability (CCDP) of core damage occurring if the event or condition happens.

Given that the event or condition did NOT result in reactor core damage, how could SAPHIRE estimate any CCDP other than zero?

Consider the March 22, 1975, fire at the Browns Ferry nuclear plant in Alabama. A worker using a candle to check for air leaks in the room directly below the control room for the Unit 1 and 2 reactors started a fire that blazed for over six hours. Electrical cables connecting switches and gauges in the control room to equipment throughout the plant passed through the floor into this room. The fire damaged the cables for all the emergency core cooling equipment for Unit 1 and much of this equipment for Unit 2. Workers took measures like getting cable reels from the warehouse and jury-rigging temporary power connections to non-emergency pumps in order to get enough makeup water to the reactor pressure vessels to prevent dual meltdowns.

But that successful outcome was far from guaranteed—there were no requirement that the warehouse always be stocked with ready spares; the alternate power supplies and pumps were not tested and inspected as thoroughly as safety components and therefore had a higher chance of failing when needed; and the workers had little time margin to execute their ad hoc fixes which could have been eliminated by a single mistake or miscommunication along the way. In 1982, the NRC reported a 39% likelihood that reactor core damage would result should another fire disable that amount of equipment based on its assessment of the CCDP for the Browns Ferry fire.

Returning to the NAQ, SAPHIRE determined that 27 candidates (5.95) in FY13 had CCDP values below the ASP program’s threshold of 1×10-6. In other words, each of these 27 candidates was estimated to lead to reactor core damage less than one time in a million attempts.

Between 1969 and 2005, a total of 63,005 events and conditions were evaluated via this ASP process. Only 262 items (0.42%) exceeded the of 1×10-6 threshold. For detail aficionados, 237 exceeded 1×10-5, 166 exceeded 1×10-4, 26 exceeded 1×10-3, five exceeded 1×10-2, and three exceeded 1×10-1 (including the Browns Ferry fire).

Bottom Line

Perhaps a more appropriate question to ask and answer is:

Why does the NRC determine which events become accident sequence precursors?

The events and conditions determined to be ASPs are often included in the NRC’s annual report to the U.S. Congress on abnormal occurrences. The ASPs also feed into the NRC’s Industry Trends Program. This program seeks to identify emerging adverse trends so as to trigger appropriate changes to regulations and/or oversight procedures needed to stem declining safety levels. The SAPHIRE computer analyses conducted in ASP Screen #4 can provide useful feedback on risks and risk modeling.

The 1969-2005 data resulted in 0.42% of the events and conditions becoming ASPs while 3.7% of the FY13 events and conditions became ASPs—a nearly ten-fold increase in the rate. This marked increase might suggest that more high risk things are occurring as plants age or that NRC has sharpened its computerized pencil resulting in CCDP inflation. Perhaps, but the primary reason for the change is that the NRC has increased the reporting threshold, reducing the number of obviously low risk items eliminated by ASP Screen #1.

The major source of events and conditions enter the ASP screening process from licensee event reports (LERs) submitted to the NRC by plant owners per federal regulations. Over the years, the NRC has revised its regulations and associated guidance to essentially pre-screen reporting of event and conditions with low safety significance. But for these reporting threshold changes, the contemporary ASP rate would most likely be very close to the historical rate.

A quick check of the LERs reported annually using the NRC’s online LER search engine confirms this explanation. Plant owners submitted 3,861 LERs to the NRC during 1981. A decade later, owners submitted 1,911 LERs—about half the 1981 total—to the NRC. By 2001, the LER submissions had dropped to 372. Plant owners submitted 370 LERs to the NRC during FY13—less than one-tenth of the number of LERS in 1981. Thus, the ASP rate change is more attributable to changes in reporting and accounting practices than to underlying performance changes.

Perhaps the most appropriate question to ask and answer is:

Why does the NRC apply so much effort to the accident sequence precursor program?

I don’t know. The ASP program is about as useful as an appendix on a mannequin. The ASP process takes so long that by the time it is done, all the corrective measures needed both at the plant and across the industry have already been identified and either implemented or planned. I am unaware of any ASP inquiry that revealed some facet or problem not identified months if not years earlier. Likewise, no ASP outcome has been cited as grounds for accelerating or delaying implementation of remedies. Thus, the ASP outcomes and numbers have no bearing on what gets done and when it gets done.

But I won’t pull the “why do they bother with ASP” string too far. Doing so might prompt me to ask why I bothered to write this ASP blog post (and you to ask why you read it).

Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.

Show Comments

Comment Policy

UCS welcomes comments that foster civil conversation and debate. To help maintain a healthy, respectful discussion, please focus comments on the issues, topics, and facts at hand, and refrain from personal attacks. Posts that are commercial, self-promotional, obscene, rude, or disruptive will be removed.

Please note that comments are open for two weeks following each blog post. UCS respects your privacy and will not display, lend, or sell your email address for any reason.

Dr. John Miller

That the number of Licensee Event Reports in 2001 (372) was only one percent of the number 20 years earlier (3861) is a striking fact that needs an explanation. Have operators solved 99 percent of the causes of LERS? If not, why are they not reporting 99 percent of the real causes of LERs? Has the safety culture eroded? I consider this a big deal, something that must be explained.

Dave Lochbaum

Two factors primarily explain the drop in LER tallies, but I’ve not seen any quantitative or qualitative analysis suggesting the extent of the role either played. But as illustrated by the left-hand side of the bathtub curve of failure rate vs. lifetime, there is a learning curve. As problems surfaced and were reported via LERs, their fixes reduced the recurrence of the problems and associated LERs. The other factor involved accounting. Initially, requirements that used to be contained in the technical specifications portion of operating licenses were relocated, with the NRC’s permission, to other documents. For example, fire protection and mechanical snubbers were in technical specifications but now are not. Fire protection equipment and snubber problems still have to be fixed when identified, but they seldom now have to be reported to the NRC as LERs. Another accounting change involved the LER reporting threshold itself. This threshold has been revised upward a few times over the past decades. NRC’s UREG-1022 and its revisions describe what problems no longer have to be reported via LERs. So, the reductions are due both to the fact that problems are recurring less frequently and that many problems that still occur no longer have to be reported to the NRC. Dave Lochbaum